From e8fe024b770f554ec37522f1136f08255a66f71e Mon Sep 17 00:00:00 2001
From: CPunch
Date: Thu, 19 Jan 2023 20:50:30 -0600
Subject: [PATCH] roles/git: ssh known_hosts is now idempotent
- roles/git now uses blockinfile to ensure the github ssh keypairs are trusted, and to allow subsequent ssh keypairs to be trusted and not overwritten by future runs.
- this commit marks idempotency for all roles. after a successful run of this playbook, subsequent runs will result in a change=0 !!!!!
---
 roles/git/tasks/main.yml | 15 ++++++++-------
 roles/gitea/tasks/main.yml | 2 +-
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
index 646e5fa..f30efb9 100644
--- a/roles/git/tasks/main.yml
+++ b/roles/git/tasks/main.yml
@@ -9,21 +9,22 @@
 # make sure our vps trusts the github.com key signature. we pipe the output
 # of ssh-keyscan into .ssh/known_hosts
-# TODO: make idempotent
 - name: Scan for SSH host keys
 command: ssh-keyscan github.com 2>/dev/null
 register: ssh_scan
+ changed_when: false
-- name: Update known_hosts
- copy:
- content: "{{ ssh_scan.stdout_lines|join('\n') }}"
- dest: /root/.ssh/known_hosts
+- name: Update .ssh/known_hosts
+ blockinfile:
+ path: /root/.ssh/known_hosts
+ block: "{{ ssh_scan.stdout_lines|join('\n') }}"
+ insertbefore: BOF
+ create: yes
 owner: root
 mode: u=rw,g=,o=
- force: no # if we already have a known_hosts file, ignore!
 # this keypair is trusted under my github account, so it allows my vps to make pushes
-# to the main branch of my openpunk repository. (for my deadswitch: see static/blog/imdead.sh)
+# to the main branch of my openpunk repository. (see roles/deadswitchfiles/imdead.sh)
 - name: Install ssh priv key
 copy:
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index 788e0a8..ace00c1 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
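Review bot: The `block:` on the new side is regenerated from a fresh `ssh-keyscan` result on every run, so the github.com host key root trusts is whatever the network answered most recently rather than trust-on-first-use — an attacker who controls DNS or sits on the path during any later run can swap the key, and the old `force: no` that at least froze the first answer is gone. Pin GitHub's published host keys instead: keep them as a static role variable (GitHub documents the key fingerprints), write `block: "{{ github_known_hosts }}"`, and drop the scan task entirely. If the scan stays, guard against an empty result silently emptying the managed block with `failed_when: ssh_scan.stdout == ''`, and note that the context line's `2>/dev/null` reaches ssh-keyscan as a literal argument because `command:` runs no shell — presumably only an extra error on stderr, but `shell:` or dropping the redirect is cleaner. Lastly, `create: yes` should be `create: true`, matching the `changed_when: false` added in the same hunk.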
@@ -2,7 +2,7 @@
 - name: Check if Gitea is installed
 shell: gitea --version
 register: validate_gitea
- changed_when: false
+ changed_when: no
 - name: Add Gitea key && repository
 block:
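Review bot: `changed_when: no` on the new side replaces the canonical `false` with a YAML 1.1 truthy literal; Ansible accepts both, but yamllint's `truthy` rule flags `no`, and the roles/git hunk in this same commit writes `changed_when: false`, so the two roles now disagree on style for no functional gain. Keep `changed_when: false` here. The `block:` that begins on the last hunk line continues outside the hunk.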